1/** 2 * \file cipher.c 3 * 4 * \brief Generic cipher wrapper for Mbed TLS 5 * 6 * \author Adriaan de Jong <dejong@fox-it.com> 7 * 8 * Copyright The Mbed TLS Contributors 9 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 10 */ 11 12#include "common.h" 13 14#if defined(MBEDTLS_CIPHER_C) 15 16#include "mbedtls/cipher.h" 17#include "cipher_wrap.h" 18#include "mbedtls/platform_util.h" 19#include "mbedtls/error.h" 20#include "mbedtls/constant_time.h" 21#include "constant_time_internal.h" 22 23#include <stdlib.h> 24#include <string.h> 25 26#if defined(MBEDTLS_CHACHAPOLY_C) 27#include "mbedtls/chachapoly.h" 28#endif 29 30#if defined(MBEDTLS_GCM_C) 31#include "mbedtls/gcm.h" 32#endif 33 34#if defined(MBEDTLS_CCM_C) 35#include "mbedtls/ccm.h" 36#endif 37 38#if defined(MBEDTLS_CHACHA20_C) 39#include "mbedtls/chacha20.h" 40#endif 41 42#if defined(MBEDTLS_CMAC_C) 43#include "mbedtls/cmac.h" 44#endif 45 46#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 47#include "psa/crypto.h" 48#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 49 50#if defined(MBEDTLS_NIST_KW_C) 51#include "mbedtls/nist_kw.h" 52#endif 53 54#include "mbedtls/platform.h" 55 56static int supported_init = 0; 57 58static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base( 59 const mbedtls_cipher_info_t *info) 60{ 61 return mbedtls_cipher_base_lookup_table[info->base_idx]; 62} 63 64const int *mbedtls_cipher_list(void) 65{ 66 const mbedtls_cipher_definition_t *def; 67 int *type; 68 69 if (!supported_init) { 70 def = mbedtls_cipher_definitions; 71 type = mbedtls_cipher_supported; 72 73 while (def->type != 0) { 74 *type++ = (*def++).type; 75 } 76 77 *type = 0; 78 79 supported_init = 1; 80 } 81 82 return mbedtls_cipher_supported; 83} 84 85const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( 86 const mbedtls_cipher_type_t cipher_type) 87{ 88 const mbedtls_cipher_definition_t *def; 89 90 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 91 if (def->type == cipher_type) { 92 return def->info; 93 } 94 } 95 96 return NULL; 97} 98 99const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( 100 const char *cipher_name) 101{ 102 const mbedtls_cipher_definition_t *def; 103 104 if (NULL == cipher_name) { 105 return NULL; 106 } 107 108 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 109 if (!strcmp(def->info->name, cipher_name)) { 110 return def->info; 111 } 112 } 113 114 return NULL; 115} 116 117const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( 118 const mbedtls_cipher_id_t cipher_id, 119 int key_bitlen, 120 const mbedtls_cipher_mode_t mode) 121{ 122 const mbedtls_cipher_definition_t *def; 123 124 for (def = mbedtls_cipher_definitions; def->info != NULL; def++) { 125 if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id && 126 mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen && 127 def->info->mode == mode) { 128 return def->info; 129 } 130 } 131 132 return NULL; 133} 134 135#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 136static inline psa_key_type_t mbedtls_psa_translate_cipher_type( 137 mbedtls_cipher_type_t cipher) 138{ 139 switch (cipher) { 140 case MBEDTLS_CIPHER_AES_128_CCM: 141 case MBEDTLS_CIPHER_AES_192_CCM: 142 case MBEDTLS_CIPHER_AES_256_CCM: 143 case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG: 144 case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG: 145 case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG: 146 case MBEDTLS_CIPHER_AES_128_GCM: 147 case MBEDTLS_CIPHER_AES_192_GCM: 148 case MBEDTLS_CIPHER_AES_256_GCM: 149 case MBEDTLS_CIPHER_AES_128_CBC: 150 case MBEDTLS_CIPHER_AES_192_CBC: 151 case MBEDTLS_CIPHER_AES_256_CBC: 152 case MBEDTLS_CIPHER_AES_128_ECB: 153 case MBEDTLS_CIPHER_AES_192_ECB: 154 case MBEDTLS_CIPHER_AES_256_ECB: 155 return PSA_KEY_TYPE_AES; 156 157 /* ARIA not yet supported in PSA. */ 158 /* case MBEDTLS_CIPHER_ARIA_128_CCM: 159 case MBEDTLS_CIPHER_ARIA_192_CCM: 160 case MBEDTLS_CIPHER_ARIA_256_CCM: 161 case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG: 162 case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG: 163 case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG: 164 case MBEDTLS_CIPHER_ARIA_128_GCM: 165 case MBEDTLS_CIPHER_ARIA_192_GCM: 166 case MBEDTLS_CIPHER_ARIA_256_GCM: 167 case MBEDTLS_CIPHER_ARIA_128_CBC: 168 case MBEDTLS_CIPHER_ARIA_192_CBC: 169 case MBEDTLS_CIPHER_ARIA_256_CBC: 170 return( PSA_KEY_TYPE_ARIA ); */ 171 172 default: 173 return 0; 174 } 175} 176 177static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode( 178 mbedtls_cipher_mode_t mode, size_t taglen) 179{ 180 switch (mode) { 181 case MBEDTLS_MODE_ECB: 182 return PSA_ALG_ECB_NO_PADDING; 183 case MBEDTLS_MODE_GCM: 184 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen); 185 case MBEDTLS_MODE_CCM: 186 return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen); 187 case MBEDTLS_MODE_CCM_STAR_NO_TAG: 188 return PSA_ALG_CCM_STAR_NO_TAG; 189 case MBEDTLS_MODE_CBC: 190 if (taglen == 0) { 191 return PSA_ALG_CBC_NO_PADDING; 192 } else { 193 return 0; 194 } 195 default: 196 return 0; 197 } 198} 199#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 200 201void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx) 202{ 203 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 204} 205 206void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx) 207{ 208 if (ctx == NULL) { 209 return; 210 } 211 212#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 213 if (ctx->psa_enabled == 1) { 214 if (ctx->cipher_ctx != NULL) { 215 mbedtls_cipher_context_psa * const cipher_psa = 216 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 217 218 if (cipher_psa->slot_state == MBEDTLS_CIPHER_PSA_KEY_OWNED) { 219 /* xxx_free() doesn't allow to return failures. */ 220 (void) psa_destroy_key(cipher_psa->slot); 221 } 222 223 mbedtls_zeroize_and_free(cipher_psa, sizeof(*cipher_psa)); 224 } 225 226 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 227 return; 228 } 229#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 230 231#if defined(MBEDTLS_CMAC_C) 232 if (ctx->cmac_ctx) { 233 mbedtls_zeroize_and_free(ctx->cmac_ctx, 234 sizeof(mbedtls_cmac_context_t)); 235 } 236#endif 237 238 if (ctx->cipher_ctx) { 239 mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx); 240 } 241 242 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t)); 243} 244 245int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, 246 const mbedtls_cipher_info_t *cipher_info) 247{ 248 if (cipher_info == NULL) { 249 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 250 } 251 252 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 253 254 if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) { 255 ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func(); 256 if (ctx->cipher_ctx == NULL) { 257 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 258 } 259 } 260 261 ctx->cipher_info = cipher_info; 262 263 return 0; 264} 265 266#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 267int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx, 268 const mbedtls_cipher_info_t *cipher_info, 269 size_t taglen) 270{ 271 psa_algorithm_t alg; 272 mbedtls_cipher_context_psa *cipher_psa; 273 274 if (NULL == cipher_info || NULL == ctx) { 275 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 276 } 277 278 /* Check that the underlying cipher mode and cipher type are 279 * supported by the underlying PSA Crypto implementation. */ 280 alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen); 281 if (alg == 0) { 282 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 283 } 284 if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) { 285 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 286 } 287 288 memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); 289 290 cipher_psa = mbedtls_calloc(1, sizeof(mbedtls_cipher_context_psa)); 291 if (cipher_psa == NULL) { 292 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 293 } 294 cipher_psa->alg = alg; 295 ctx->cipher_ctx = cipher_psa; 296 ctx->cipher_info = cipher_info; 297 ctx->psa_enabled = 1; 298 return 0; 299} 300#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 301 302int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, 303 const unsigned char *key, 304 int key_bitlen, 305 const mbedtls_operation_t operation) 306{ 307 if (operation != MBEDTLS_ENCRYPT && operation != MBEDTLS_DECRYPT) { 308 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 309 } 310 if (ctx->cipher_info == NULL) { 311 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 312 } 313#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 314 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) && 315 MBEDTLS_DECRYPT == operation) { 316 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 317 } 318#endif 319 320#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 321 if (ctx->psa_enabled == 1) { 322 mbedtls_cipher_context_psa * const cipher_psa = 323 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 324 325 size_t const key_bytelen = ((size_t) key_bitlen + 7) / 8; 326 327 psa_status_t status; 328 psa_key_type_t key_type; 329 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 330 331 /* PSA Crypto API only accepts byte-aligned keys. */ 332 if (key_bitlen % 8 != 0) { 333 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 334 } 335 336 /* Don't allow keys to be set multiple times. */ 337 if (cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET) { 338 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 339 } 340 341 key_type = mbedtls_psa_translate_cipher_type( 342 ((mbedtls_cipher_type_t) ctx->cipher_info->type)); 343 if (key_type == 0) { 344 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 345 } 346 psa_set_key_type(&attributes, key_type); 347 348 /* Mbed TLS' cipher layer doesn't enforce the mode of operation 349 * (encrypt vs. decrypt): it is possible to setup a key for encryption 350 * and use it for AEAD decryption. Until tests relying on this 351 * are changed, allow any usage in PSA. */ 352 psa_set_key_usage_flags(&attributes, 353 PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); 354 psa_set_key_algorithm(&attributes, cipher_psa->alg); 355 356 status = psa_import_key(&attributes, key, key_bytelen, 357 &cipher_psa->slot); 358 switch (status) { 359 case PSA_SUCCESS: 360 break; 361 case PSA_ERROR_INSUFFICIENT_MEMORY: 362 return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; 363 case PSA_ERROR_NOT_SUPPORTED: 364 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 365 default: 366 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 367 } 368 /* Indicate that we own the key slot and need to 369 * destroy it in mbedtls_cipher_free(). */ 370 cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED; 371 372 ctx->key_bitlen = key_bitlen; 373 ctx->operation = operation; 374 return 0; 375 } 376#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 377 378 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 && 379 (int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) { 380 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 381 } 382 383 ctx->key_bitlen = key_bitlen; 384 ctx->operation = operation; 385 386#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 387 /* 388 * For OFB, CFB and CTR mode always use the encryption key schedule 389 */ 390 if (MBEDTLS_ENCRYPT == operation || 391 MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 392 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 393 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 394 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, 395 ctx->key_bitlen); 396 } 397 398 if (MBEDTLS_DECRYPT == operation) { 399 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key, 400 ctx->key_bitlen); 401 } 402#else 403 if (operation == MBEDTLS_ENCRYPT || operation == MBEDTLS_DECRYPT) { 404 return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key, 405 ctx->key_bitlen); 406 } 407#endif 408 409 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 410} 411 412int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx, 413 const unsigned char *iv, 414 size_t iv_len) 415{ 416 size_t actual_iv_size; 417 418 if (ctx->cipher_info == NULL) { 419 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 420 } 421#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 422 if (ctx->psa_enabled == 1) { 423 /* While PSA Crypto has an API for multipart 424 * operations, we currently don't make it 425 * accessible through the cipher layer. */ 426 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 427 } 428#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 429 430 /* avoid buffer overflow in ctx->iv */ 431 if (iv_len > MBEDTLS_MAX_IV_LENGTH) { 432 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 433 } 434 435 if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) { 436 actual_iv_size = iv_len; 437 } else { 438 actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info); 439 440 /* avoid reading past the end of input buffer */ 441 if (actual_iv_size > iv_len) { 442 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 443 } 444 } 445 446#if defined(MBEDTLS_CHACHA20_C) 447 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) { 448 /* Even though the actual_iv_size is overwritten with a correct value 449 * of 12 from the cipher info, return an error to indicate that 450 * the input iv_len is wrong. */ 451 if (iv_len != 12) { 452 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 453 } 454 455 if (0 != mbedtls_chacha20_starts((mbedtls_chacha20_context *) ctx->cipher_ctx, 456 iv, 457 0U)) { /* Initial counter value */ 458 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 459 } 460 } 461#if defined(MBEDTLS_CHACHAPOLY_C) 462 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 && 463 iv_len != 12) { 464 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 465 } 466#endif 467#endif 468 469#if defined(MBEDTLS_GCM_C) 470 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 471 return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx, 472 ctx->operation, 473 iv, iv_len); 474 } 475#endif 476 477#if defined(MBEDTLS_CCM_C) 478 if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 479 int set_lengths_result; 480 int ccm_star_mode; 481 482 set_lengths_result = mbedtls_ccm_set_lengths( 483 (mbedtls_ccm_context *) ctx->cipher_ctx, 484 0, 0, 0); 485 if (set_lengths_result != 0) { 486 return set_lengths_result; 487 } 488 489 if (ctx->operation == MBEDTLS_DECRYPT) { 490 ccm_star_mode = MBEDTLS_CCM_STAR_DECRYPT; 491 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 492 ccm_star_mode = MBEDTLS_CCM_STAR_ENCRYPT; 493 } else { 494 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 495 } 496 497 return mbedtls_ccm_starts((mbedtls_ccm_context *) ctx->cipher_ctx, 498 ccm_star_mode, 499 iv, iv_len); 500 } 501#endif 502 503 if (actual_iv_size != 0) { 504 memcpy(ctx->iv, iv, actual_iv_size); 505 ctx->iv_size = actual_iv_size; 506 } 507 508 return 0; 509} 510 511int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx) 512{ 513 if (ctx->cipher_info == NULL) { 514 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 515 } 516 517#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 518 if (ctx->psa_enabled == 1) { 519 /* We don't support resetting PSA-based 520 * cipher contexts, yet. */ 521 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 522 } 523#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 524 525 ctx->unprocessed_len = 0; 526 527 return 0; 528} 529 530#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 531int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx, 532 const unsigned char *ad, size_t ad_len) 533{ 534 if (ctx->cipher_info == NULL) { 535 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 536 } 537 538#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 539 if (ctx->psa_enabled == 1) { 540 /* While PSA Crypto has an API for multipart 541 * operations, we currently don't make it 542 * accessible through the cipher layer. */ 543 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 544 } 545#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 546 547#if defined(MBEDTLS_GCM_C) 548 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 549 return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx, 550 ad, ad_len); 551 } 552#endif 553 554#if defined(MBEDTLS_CHACHAPOLY_C) 555 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 556 int result; 557 mbedtls_chachapoly_mode_t mode; 558 559 mode = (ctx->operation == MBEDTLS_ENCRYPT) 560 ? MBEDTLS_CHACHAPOLY_ENCRYPT 561 : MBEDTLS_CHACHAPOLY_DECRYPT; 562 563 result = mbedtls_chachapoly_starts((mbedtls_chachapoly_context *) ctx->cipher_ctx, 564 ctx->iv, 565 mode); 566 if (result != 0) { 567 return result; 568 } 569 570 return mbedtls_chachapoly_update_aad((mbedtls_chachapoly_context *) ctx->cipher_ctx, 571 ad, ad_len); 572 } 573#endif 574 575 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 576} 577#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 578 579int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, 580 size_t ilen, unsigned char *output, size_t *olen) 581{ 582 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 583 size_t block_size; 584 585 if (ctx->cipher_info == NULL) { 586 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 587 } 588 589#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 590 if (ctx->psa_enabled == 1) { 591 /* While PSA Crypto has an API for multipart 592 * operations, we currently don't make it 593 * accessible through the cipher layer. */ 594 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 595 } 596#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 597 598 *olen = 0; 599 block_size = mbedtls_cipher_get_block_size(ctx); 600 if (0 == block_size) { 601 return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT; 602 } 603 604 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) { 605 if (ilen != block_size) { 606 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 607 } 608 609 *olen = ilen; 610 611 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx, 612 ctx->operation, input, 613 output))) { 614 return ret; 615 } 616 617 return 0; 618 } 619 620#if defined(MBEDTLS_GCM_C) 621 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) { 622 return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx, 623 input, ilen, 624 output, ilen, olen); 625 } 626#endif 627 628#if defined(MBEDTLS_CCM_C) 629 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) { 630 return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx, 631 input, ilen, 632 output, ilen, olen); 633 } 634#endif 635 636#if defined(MBEDTLS_CHACHAPOLY_C) 637 if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) { 638 *olen = ilen; 639 return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx, 640 ilen, input, output); 641 } 642#endif 643 644 if (input == output && 645 (ctx->unprocessed_len != 0 || ilen % block_size)) { 646 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 647 } 648 649#if defined(MBEDTLS_CIPHER_MODE_CBC) 650 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) { 651 size_t copy_len = 0; 652 653 /* 654 * If there is not enough data for a full block, cache it. 655 */ 656 if ((ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 657 ilen <= block_size - ctx->unprocessed_len) || 658 (ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 659 ilen < block_size - ctx->unprocessed_len) || 660 (ctx->operation == MBEDTLS_ENCRYPT && 661 ilen < block_size - ctx->unprocessed_len)) { 662 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 663 ilen); 664 665 ctx->unprocessed_len += ilen; 666 return 0; 667 } 668 669 /* 670 * Process cached data first 671 */ 672 if (0 != ctx->unprocessed_len) { 673 copy_len = block_size - ctx->unprocessed_len; 674 675 memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input, 676 copy_len); 677 678 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 679 ctx->operation, 680 block_size, ctx->iv, 681 ctx-> 682 unprocessed_data, 683 output))) { 684 return ret; 685 } 686 687 *olen += block_size; 688 output += block_size; 689 ctx->unprocessed_len = 0; 690 691 input += copy_len; 692 ilen -= copy_len; 693 } 694 695 /* 696 * Cache final, incomplete block 697 */ 698 if (0 != ilen) { 699 /* Encryption: only cache partial blocks 700 * Decryption w/ padding: always keep at least one whole block 701 * Decryption w/o padding: only cache partial blocks 702 */ 703 copy_len = ilen % block_size; 704 if (copy_len == 0 && 705 ctx->operation == MBEDTLS_DECRYPT && 706 NULL != ctx->add_padding) { 707 copy_len = block_size; 708 } 709 710 memcpy(ctx->unprocessed_data, &(input[ilen - copy_len]), 711 copy_len); 712 713 ctx->unprocessed_len += copy_len; 714 ilen -= copy_len; 715 } 716 717 /* 718 * Process remaining full blocks 719 */ 720 if (ilen) { 721 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 722 ctx->operation, 723 ilen, ctx->iv, 724 input, 725 output))) { 726 return ret; 727 } 728 729 *olen += ilen; 730 } 731 732 return 0; 733 } 734#endif /* MBEDTLS_CIPHER_MODE_CBC */ 735 736#if defined(MBEDTLS_CIPHER_MODE_CFB) 737 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) { 738 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx, 739 ctx->operation, ilen, 740 &ctx->unprocessed_len, 741 ctx->iv, 742 input, output))) { 743 return ret; 744 } 745 746 *olen = ilen; 747 748 return 0; 749 } 750#endif /* MBEDTLS_CIPHER_MODE_CFB */ 751 752#if defined(MBEDTLS_CIPHER_MODE_OFB) 753 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) { 754 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx, 755 ilen, 756 &ctx->unprocessed_len, 757 ctx->iv, 758 input, output))) { 759 return ret; 760 } 761 762 *olen = ilen; 763 764 return 0; 765 } 766#endif /* MBEDTLS_CIPHER_MODE_OFB */ 767 768#if defined(MBEDTLS_CIPHER_MODE_CTR) 769 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) { 770 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx, 771 ilen, 772 &ctx->unprocessed_len, 773 ctx->iv, 774 ctx->unprocessed_data, 775 input, output))) { 776 return ret; 777 } 778 779 *olen = ilen; 780 781 return 0; 782 } 783#endif /* MBEDTLS_CIPHER_MODE_CTR */ 784 785#if defined(MBEDTLS_CIPHER_MODE_XTS) 786 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) { 787 if (ctx->unprocessed_len > 0) { 788 /* We can only process an entire data unit at a time. */ 789 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 790 } 791 792 ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx, 793 ctx->operation, 794 ilen, 795 ctx->iv, 796 input, 797 output); 798 if (ret != 0) { 799 return ret; 800 } 801 802 *olen = ilen; 803 804 return 0; 805 } 806#endif /* MBEDTLS_CIPHER_MODE_XTS */ 807 808#if defined(MBEDTLS_CIPHER_MODE_STREAM) 809 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) { 810 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx, 811 ilen, input, 812 output))) { 813 return ret; 814 } 815 816 *olen = ilen; 817 818 return 0; 819 } 820#endif /* MBEDTLS_CIPHER_MODE_STREAM */ 821 822 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 823} 824 825#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 826#if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 827/* 828 * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len 829 */ 830static void add_pkcs_padding(unsigned char *output, size_t output_len, 831 size_t data_len) 832{ 833 size_t padding_len = output_len - data_len; 834 unsigned char i; 835 836 for (i = 0; i < padding_len; i++) { 837 output[data_len + i] = (unsigned char) padding_len; 838 } 839} 840 841static int get_pkcs_padding(unsigned char *input, size_t input_len, 842 size_t *data_len) 843{ 844 size_t i, pad_idx; 845 unsigned char padding_len; 846 847 if (NULL == input || NULL == data_len) { 848 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 849 } 850 851 padding_len = input[input_len - 1]; 852 *data_len = input_len - padding_len; 853 854 mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len); 855 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); 856 857 /* The number of bytes checked must be independent of padding_len, 858 * so pick input_len, which is usually 8 or 16 (one block) */ 859 pad_idx = input_len - padding_len; 860 for (i = 0; i < input_len; i++) { 861 mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx); 862 mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len); 863 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different)); 864 } 865 866 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 867} 868#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 869 870#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 871/* 872 * One and zeros padding: fill with 80 00 ... 00 873 */ 874static void add_one_and_zeros_padding(unsigned char *output, 875 size_t output_len, size_t data_len) 876{ 877 size_t padding_len = output_len - data_len; 878 unsigned char i = 0; 879 880 output[data_len] = 0x80; 881 for (i = 1; i < padding_len; i++) { 882 output[data_len + i] = 0x00; 883 } 884} 885 886static int get_one_and_zeros_padding(unsigned char *input, size_t input_len, 887 size_t *data_len) 888{ 889 if (NULL == input || NULL == data_len) { 890 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 891 } 892 893 mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE; 894 mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE; 895 896 *data_len = 0; 897 898 for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) { 899 mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]); 900 901 mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding); 902 903 *data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len); 904 905 bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad); 906 907 in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero)); 908 } 909 910 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 911} 912#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */ 913 914#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 915/* 916 * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length 917 */ 918static void add_zeros_and_len_padding(unsigned char *output, 919 size_t output_len, size_t data_len) 920{ 921 size_t padding_len = output_len - data_len; 922 unsigned char i = 0; 923 924 for (i = 1; i < padding_len; i++) { 925 output[data_len + i - 1] = 0x00; 926 } 927 output[output_len - 1] = (unsigned char) padding_len; 928} 929 930static int get_zeros_and_len_padding(unsigned char *input, size_t input_len, 931 size_t *data_len) 932{ 933 size_t i, pad_idx; 934 unsigned char padding_len; 935 mbedtls_ct_condition_t bad; 936 937 if (NULL == input || NULL == data_len) { 938 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 939 } 940 941 padding_len = input[input_len - 1]; 942 *data_len = input_len - padding_len; 943 944 /* Avoid logical || since it results in a branch */ 945 bad = mbedtls_ct_uint_gt(padding_len, input_len); 946 bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); 947 948 /* The number of bytes checked must be independent of padding_len */ 949 pad_idx = input_len - padding_len; 950 for (i = 0; i < input_len - 1; i++) { 951 mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx); 952 mbedtls_ct_condition_t nonzero_pad_byte; 953 nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i])); 954 bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte); 955 } 956 957 return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); 958} 959#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */ 960 961#if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 962/* 963 * Zero padding: fill with 00 ... 00 964 */ 965static void add_zeros_padding(unsigned char *output, 966 size_t output_len, size_t data_len) 967{ 968 memset(output + data_len, 0, output_len - data_len); 969} 970 971static int get_zeros_padding(unsigned char *input, size_t input_len, 972 size_t *data_len) 973{ 974 size_t i; 975 mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done; 976 977 if (NULL == input || NULL == data_len) { 978 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 979 } 980 981 *data_len = 0; 982 for (i = input_len; i > 0; i--) { 983 prev_done = done; 984 done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0)); 985 *data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len); 986 } 987 988 return 0; 989} 990#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */ 991 992/* 993 * No padding: don't pad :) 994 * 995 * There is no add_padding function (check for NULL in mbedtls_cipher_finish) 996 * but a trivial get_padding function 997 */ 998static int get_no_padding(unsigned char *input, size_t input_len, 999 size_t *data_len) 1000{ 1001 if (NULL == input || NULL == data_len) { 1002 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1003 } 1004 1005 *data_len = input_len; 1006 1007 return 0; 1008} 1009#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1010 1011int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx, 1012 unsigned char *output, size_t *olen) 1013{ 1014 if (ctx->cipher_info == NULL) { 1015 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1016 } 1017 1018#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1019 if (ctx->psa_enabled == 1) { 1020 /* While PSA Crypto has an API for multipart 1021 * operations, we currently don't make it 1022 * accessible through the cipher layer. */ 1023 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1024 } 1025#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1026 1027 *olen = 0; 1028 1029#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1030 /* CBC mode requires padding so we make sure a call to 1031 * mbedtls_cipher_set_padding_mode has been done successfully. */ 1032 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1033 if (ctx->get_padding == NULL) { 1034 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1035 } 1036 } 1037#endif 1038 1039 if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1040 MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1041 MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1042 MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1043 MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1044 MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1045 MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1046 return 0; 1047 } 1048 1049 if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) || 1050 (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) { 1051 return 0; 1052 } 1053 1054 if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1055 if (ctx->unprocessed_len != 0) { 1056 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1057 } 1058 1059 return 0; 1060 } 1061 1062#if defined(MBEDTLS_CIPHER_MODE_CBC) 1063 if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1064 int ret = 0; 1065 1066 if (MBEDTLS_ENCRYPT == ctx->operation) { 1067 /* check for 'no padding' mode */ 1068 if (NULL == ctx->add_padding) { 1069 if (0 != ctx->unprocessed_len) { 1070 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1071 } 1072 1073 return 0; 1074 } 1075 1076 ctx->add_padding(ctx->unprocessed_data, mbedtls_cipher_get_iv_size(ctx), 1077 ctx->unprocessed_len); 1078 } else if (mbedtls_cipher_get_block_size(ctx) != ctx->unprocessed_len) { 1079 /* 1080 * For decrypt operations, expect a full block, 1081 * or an empty block if no padding 1082 */ 1083 if (NULL == ctx->add_padding && 0 == ctx->unprocessed_len) { 1084 return 0; 1085 } 1086 1087 return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED; 1088 } 1089 1090 /* cipher block */ 1091 if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx, 1092 ctx->operation, 1093 mbedtls_cipher_get_block_size( 1094 ctx), 1095 ctx->iv, 1096 ctx->unprocessed_data, 1097 output))) { 1098 return ret; 1099 } 1100 1101 /* Set output size for decryption */ 1102 if (MBEDTLS_DECRYPT == ctx->operation) { 1103 return ctx->get_padding(output, mbedtls_cipher_get_block_size(ctx), 1104 olen); 1105 } 1106 1107 /* Set output size for encryption */ 1108 *olen = mbedtls_cipher_get_block_size(ctx); 1109 return 0; 1110 } 1111#else 1112 ((void) output); 1113#endif /* MBEDTLS_CIPHER_MODE_CBC */ 1114 1115 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1116} 1117 1118#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) 1119int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, 1120 mbedtls_cipher_padding_t mode) 1121{ 1122 if (NULL == ctx->cipher_info || 1123 MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1124 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1125 } 1126 1127#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1128 if (ctx->psa_enabled == 1) { 1129 /* While PSA Crypto knows about CBC padding 1130 * schemes, we currently don't make them 1131 * accessible through the cipher layer. */ 1132 if (mode != MBEDTLS_PADDING_NONE) { 1133 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1134 } 1135 1136 return 0; 1137 } 1138#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1139 1140 switch (mode) { 1141#if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 1142 case MBEDTLS_PADDING_PKCS7: 1143 ctx->add_padding = add_pkcs_padding; 1144 ctx->get_padding = get_pkcs_padding; 1145 break; 1146#endif 1147#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS) 1148 case MBEDTLS_PADDING_ONE_AND_ZEROS: 1149 ctx->add_padding = add_one_and_zeros_padding; 1150 ctx->get_padding = get_one_and_zeros_padding; 1151 break; 1152#endif 1153#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN) 1154 case MBEDTLS_PADDING_ZEROS_AND_LEN: 1155 ctx->add_padding = add_zeros_and_len_padding; 1156 ctx->get_padding = get_zeros_and_len_padding; 1157 break; 1158#endif 1159#if defined(MBEDTLS_CIPHER_PADDING_ZEROS) 1160 case MBEDTLS_PADDING_ZEROS: 1161 ctx->add_padding = add_zeros_padding; 1162 ctx->get_padding = get_zeros_padding; 1163 break; 1164#endif 1165 case MBEDTLS_PADDING_NONE: 1166 ctx->add_padding = NULL; 1167 ctx->get_padding = get_no_padding; 1168 break; 1169 1170 default: 1171 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1172 } 1173 1174 return 0; 1175} 1176#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ 1177 1178#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C) 1179int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx, 1180 unsigned char *tag, size_t tag_len) 1181{ 1182 if (ctx->cipher_info == NULL) { 1183 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1184 } 1185 1186 if (MBEDTLS_ENCRYPT != ctx->operation) { 1187 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1188 } 1189 1190#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1191 if (ctx->psa_enabled == 1) { 1192 /* While PSA Crypto has an API for multipart 1193 * operations, we currently don't make it 1194 * accessible through the cipher layer. */ 1195 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1196 } 1197#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1198 1199#if defined(MBEDTLS_GCM_C) 1200 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1201 size_t output_length; 1202 /* The code here doesn't yet support alternative implementations 1203 * that can delay up to a block of output. */ 1204 return mbedtls_gcm_finish((mbedtls_gcm_context *) ctx->cipher_ctx, 1205 NULL, 0, &output_length, 1206 tag, tag_len); 1207 } 1208#endif 1209 1210#if defined(MBEDTLS_CHACHAPOLY_C) 1211 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1212 /* Don't allow truncated MAC for Poly1305 */ 1213 if (tag_len != 16U) { 1214 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1215 } 1216 1217 return mbedtls_chachapoly_finish( 1218 (mbedtls_chachapoly_context *) ctx->cipher_ctx, tag); 1219 } 1220#endif 1221 1222 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1223} 1224 1225int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx, 1226 const unsigned char *tag, size_t tag_len) 1227{ 1228 unsigned char check_tag[16]; 1229 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1230 1231 if (ctx->cipher_info == NULL) { 1232 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1233 } 1234 1235 if (MBEDTLS_DECRYPT != ctx->operation) { 1236 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1237 } 1238 1239#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1240 if (ctx->psa_enabled == 1) { 1241 /* While PSA Crypto has an API for multipart 1242 * operations, we currently don't make it 1243 * accessible through the cipher layer. */ 1244 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1245 } 1246#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1247 1248 /* Status to return on a non-authenticated algorithm. */ 1249 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1250 1251#if defined(MBEDTLS_GCM_C) 1252 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1253 size_t output_length; 1254 /* The code here doesn't yet support alternative implementations 1255 * that can delay up to a block of output. */ 1256 1257 if (tag_len > sizeof(check_tag)) { 1258 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1259 } 1260 1261 if (0 != (ret = mbedtls_gcm_finish( 1262 (mbedtls_gcm_context *) ctx->cipher_ctx, 1263 NULL, 0, &output_length, 1264 check_tag, tag_len))) { 1265 return ret; 1266 } 1267 1268 /* Check the tag in "constant-time" */ 1269 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1270 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1271 goto exit; 1272 } 1273 } 1274#endif /* MBEDTLS_GCM_C */ 1275 1276#if defined(MBEDTLS_CHACHAPOLY_C) 1277 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1278 /* Don't allow truncated MAC for Poly1305 */ 1279 if (tag_len != sizeof(check_tag)) { 1280 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1281 } 1282 1283 ret = mbedtls_chachapoly_finish( 1284 (mbedtls_chachapoly_context *) ctx->cipher_ctx, check_tag); 1285 if (ret != 0) { 1286 return ret; 1287 } 1288 1289 /* Check the tag in "constant-time" */ 1290 if (mbedtls_ct_memcmp(tag, check_tag, tag_len) != 0) { 1291 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1292 goto exit; 1293 } 1294 } 1295#endif /* MBEDTLS_CHACHAPOLY_C */ 1296 1297exit: 1298 mbedtls_platform_zeroize(check_tag, tag_len); 1299 return ret; 1300} 1301#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */ 1302 1303/* 1304 * Packet-oriented wrapper for non-AEAD modes 1305 */ 1306int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, 1307 const unsigned char *iv, size_t iv_len, 1308 const unsigned char *input, size_t ilen, 1309 unsigned char *output, size_t *olen) 1310{ 1311 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1312 size_t finish_olen; 1313 1314#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1315 if (ctx->psa_enabled == 1) { 1316 /* As in the non-PSA case, we don't check that 1317 * a key has been set. If not, the key slot will 1318 * still be in its default state of 0, which is 1319 * guaranteed to be invalid, hence the PSA-call 1320 * below will gracefully fail. */ 1321 mbedtls_cipher_context_psa * const cipher_psa = 1322 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1323 1324 psa_status_t status; 1325 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; 1326 size_t part_len; 1327 1328 if (ctx->operation == MBEDTLS_DECRYPT) { 1329 status = psa_cipher_decrypt_setup(&cipher_op, 1330 cipher_psa->slot, 1331 cipher_psa->alg); 1332 } else if (ctx->operation == MBEDTLS_ENCRYPT) { 1333 status = psa_cipher_encrypt_setup(&cipher_op, 1334 cipher_psa->slot, 1335 cipher_psa->alg); 1336 } else { 1337 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1338 } 1339 1340 /* In the following, we can immediately return on an error, 1341 * because the PSA Crypto API guarantees that cipher operations 1342 * are terminated by unsuccessful calls to psa_cipher_update(), 1343 * and by any call to psa_cipher_finish(). */ 1344 if (status != PSA_SUCCESS) { 1345 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1346 } 1347 1348 if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) { 1349 status = psa_cipher_set_iv(&cipher_op, iv, iv_len); 1350 if (status != PSA_SUCCESS) { 1351 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1352 } 1353 } 1354 1355 status = psa_cipher_update(&cipher_op, 1356 input, ilen, 1357 output, ilen, olen); 1358 if (status != PSA_SUCCESS) { 1359 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1360 } 1361 1362 status = psa_cipher_finish(&cipher_op, 1363 output + *olen, ilen - *olen, 1364 &part_len); 1365 if (status != PSA_SUCCESS) { 1366 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1367 } 1368 1369 *olen += part_len; 1370 return 0; 1371 } 1372#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1373 1374 if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) { 1375 return ret; 1376 } 1377 1378 if ((ret = mbedtls_cipher_reset(ctx)) != 0) { 1379 return ret; 1380 } 1381 1382 if ((ret = mbedtls_cipher_update(ctx, input, ilen, 1383 output, olen)) != 0) { 1384 return ret; 1385 } 1386 1387 if ((ret = mbedtls_cipher_finish(ctx, output + *olen, 1388 &finish_olen)) != 0) { 1389 return ret; 1390 } 1391 1392 *olen += finish_olen; 1393 1394 return 0; 1395} 1396 1397#if defined(MBEDTLS_CIPHER_MODE_AEAD) 1398/* 1399 * Packet-oriented encryption for AEAD modes: internal function used by 1400 * mbedtls_cipher_auth_encrypt_ext(). 1401 */ 1402static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx, 1403 const unsigned char *iv, size_t iv_len, 1404 const unsigned char *ad, size_t ad_len, 1405 const unsigned char *input, size_t ilen, 1406 unsigned char *output, size_t *olen, 1407 unsigned char *tag, size_t tag_len) 1408{ 1409#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1410 if (ctx->psa_enabled == 1) { 1411 /* As in the non-PSA case, we don't check that 1412 * a key has been set. If not, the key slot will 1413 * still be in its default state of 0, which is 1414 * guaranteed to be invalid, hence the PSA-call 1415 * below will gracefully fail. */ 1416 mbedtls_cipher_context_psa * const cipher_psa = 1417 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1418 1419 psa_status_t status; 1420 1421 /* PSA Crypto API always writes the authentication tag 1422 * at the end of the encrypted message. */ 1423 if (output == NULL || tag != output + ilen) { 1424 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1425 } 1426 1427 status = psa_aead_encrypt(cipher_psa->slot, 1428 cipher_psa->alg, 1429 iv, iv_len, 1430 ad, ad_len, 1431 input, ilen, 1432 output, ilen + tag_len, olen); 1433 if (status != PSA_SUCCESS) { 1434 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1435 } 1436 1437 *olen -= tag_len; 1438 return 0; 1439 } 1440#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1441 1442#if defined(MBEDTLS_GCM_C) 1443 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1444 *olen = ilen; 1445 return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, 1446 ilen, iv, iv_len, ad, ad_len, 1447 input, output, tag_len, tag); 1448 } 1449#endif /* MBEDTLS_GCM_C */ 1450#if defined(MBEDTLS_CCM_C) 1451 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1452 *olen = ilen; 1453 return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen, 1454 iv, iv_len, ad, ad_len, input, output, 1455 tag, tag_len); 1456 } 1457#endif /* MBEDTLS_CCM_C */ 1458#if defined(MBEDTLS_CHACHAPOLY_C) 1459 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1460 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1461 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || 1462 (tag_len != 16U)) { 1463 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1464 } 1465 1466 *olen = ilen; 1467 return mbedtls_chachapoly_encrypt_and_tag(ctx->cipher_ctx, 1468 ilen, iv, ad, ad_len, input, output, tag); 1469 } 1470#endif /* MBEDTLS_CHACHAPOLY_C */ 1471 1472 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1473} 1474 1475/* 1476 * Packet-oriented encryption for AEAD modes: internal function used by 1477 * mbedtls_cipher_auth_encrypt_ext(). 1478 */ 1479static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx, 1480 const unsigned char *iv, size_t iv_len, 1481 const unsigned char *ad, size_t ad_len, 1482 const unsigned char *input, size_t ilen, 1483 unsigned char *output, size_t *olen, 1484 const unsigned char *tag, size_t tag_len) 1485{ 1486#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1487 if (ctx->psa_enabled == 1) { 1488 /* As in the non-PSA case, we don't check that 1489 * a key has been set. If not, the key slot will 1490 * still be in its default state of 0, which is 1491 * guaranteed to be invalid, hence the PSA-call 1492 * below will gracefully fail. */ 1493 mbedtls_cipher_context_psa * const cipher_psa = 1494 (mbedtls_cipher_context_psa *) ctx->cipher_ctx; 1495 1496 psa_status_t status; 1497 1498 /* PSA Crypto API always writes the authentication tag 1499 * at the end of the encrypted message. */ 1500 if (input == NULL || tag != input + ilen) { 1501 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1502 } 1503 1504 status = psa_aead_decrypt(cipher_psa->slot, 1505 cipher_psa->alg, 1506 iv, iv_len, 1507 ad, ad_len, 1508 input, ilen + tag_len, 1509 output, ilen, olen); 1510 if (status == PSA_ERROR_INVALID_SIGNATURE) { 1511 return MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1512 } else if (status != PSA_SUCCESS) { 1513 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 1514 } 1515 1516 return 0; 1517 } 1518#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */ 1519 1520#if defined(MBEDTLS_GCM_C) 1521 if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1522 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1523 1524 *olen = ilen; 1525 ret = mbedtls_gcm_auth_decrypt(ctx->cipher_ctx, ilen, 1526 iv, iv_len, ad, ad_len, 1527 tag, tag_len, input, output); 1528 1529 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) { 1530 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1531 } 1532 1533 return ret; 1534 } 1535#endif /* MBEDTLS_GCM_C */ 1536#if defined(MBEDTLS_CCM_C) 1537 if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) { 1538 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1539 1540 *olen = ilen; 1541 ret = mbedtls_ccm_auth_decrypt(ctx->cipher_ctx, ilen, 1542 iv, iv_len, ad, ad_len, 1543 input, output, tag, tag_len); 1544 1545 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) { 1546 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1547 } 1548 1549 return ret; 1550 } 1551#endif /* MBEDTLS_CCM_C */ 1552#if defined(MBEDTLS_CHACHAPOLY_C) 1553 if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) { 1554 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1555 1556 /* ChachaPoly has fixed length nonce and MAC (tag) */ 1557 if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) || 1558 (tag_len != 16U)) { 1559 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1560 } 1561 1562 *olen = ilen; 1563 ret = mbedtls_chachapoly_auth_decrypt(ctx->cipher_ctx, ilen, 1564 iv, ad, ad_len, tag, input, output); 1565 1566 if (ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) { 1567 ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED; 1568 } 1569 1570 return ret; 1571 } 1572#endif /* MBEDTLS_CHACHAPOLY_C */ 1573 1574 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1575} 1576#endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1577 1578#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) 1579/* 1580 * Packet-oriented encryption for AEAD/NIST_KW: public function. 1581 */ 1582int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx, 1583 const unsigned char *iv, size_t iv_len, 1584 const unsigned char *ad, size_t ad_len, 1585 const unsigned char *input, size_t ilen, 1586 unsigned char *output, size_t output_len, 1587 size_t *olen, size_t tag_len) 1588{ 1589#if defined(MBEDTLS_NIST_KW_C) 1590 if ( 1591#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1592 ctx->psa_enabled == 0 && 1593#endif 1594 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1595 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { 1596 mbedtls_nist_kw_mode_t mode = 1597 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? 1598 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1599 1600 /* There is no iv, tag or ad associated with KW and KWP, 1601 * so these length should be 0 as documented. */ 1602 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1603 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1604 } 1605 1606 (void) iv; 1607 (void) ad; 1608 1609 return mbedtls_nist_kw_wrap(ctx->cipher_ctx, mode, input, ilen, 1610 output, olen, output_len); 1611 } 1612#endif /* MBEDTLS_NIST_KW_C */ 1613 1614#if defined(MBEDTLS_CIPHER_MODE_AEAD) 1615 /* AEAD case: check length before passing on to shared function */ 1616 if (output_len < ilen + tag_len) { 1617 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1618 } 1619 1620 int ret = mbedtls_cipher_aead_encrypt(ctx, iv, iv_len, ad, ad_len, 1621 input, ilen, output, olen, 1622 output + ilen, tag_len); 1623 *olen += tag_len; 1624 return ret; 1625#else 1626 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1627#endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1628} 1629 1630/* 1631 * Packet-oriented decryption for AEAD/NIST_KW: public function. 1632 */ 1633int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx, 1634 const unsigned char *iv, size_t iv_len, 1635 const unsigned char *ad, size_t ad_len, 1636 const unsigned char *input, size_t ilen, 1637 unsigned char *output, size_t output_len, 1638 size_t *olen, size_t tag_len) 1639{ 1640#if defined(MBEDTLS_NIST_KW_C) 1641 if ( 1642#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED) 1643 ctx->psa_enabled == 0 && 1644#endif 1645 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) || 1646 MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) { 1647 mbedtls_nist_kw_mode_t mode = 1648 (MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ? 1649 MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; 1650 1651 /* There is no iv, tag or ad associated with KW and KWP, 1652 * so these length should be 0 as documented. */ 1653 if (iv_len != 0 || tag_len != 0 || ad_len != 0) { 1654 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1655 } 1656 1657 (void) iv; 1658 (void) ad; 1659 1660 return mbedtls_nist_kw_unwrap(ctx->cipher_ctx, mode, input, ilen, 1661 output, olen, output_len); 1662 } 1663#endif /* MBEDTLS_NIST_KW_C */ 1664 1665#if defined(MBEDTLS_CIPHER_MODE_AEAD) 1666 /* AEAD case: check length before passing on to shared function */ 1667 if (ilen < tag_len || output_len < ilen - tag_len) { 1668 return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; 1669 } 1670 1671 return mbedtls_cipher_aead_decrypt(ctx, iv, iv_len, ad, ad_len, 1672 input, ilen - tag_len, output, olen, 1673 input + ilen - tag_len, tag_len); 1674#else 1675 return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; 1676#endif /* MBEDTLS_CIPHER_MODE_AEAD */ 1677} 1678#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */ 1679 1680#endif /* MBEDTLS_CIPHER_C */ 1681